National Security News

Reporting the facts on national security


Russian military Unit 29155 cyber saboteurs exposed

Russian suspects wanted by the FBI for involvement in a conspiracy to commit criminal cyber activities against the Ukrainian government. (Source: AP Photo/Stephanie Scarbrough)

Western intelligence agencies have accused a Russian military unit consisting of assassins and saboteurs of being behind a number of cyber attacks related to the war in Ukraine.

Russian Military Intelligence (GRU) Unit 29155 was named as responsible for global cyber operations targeting critical infrastructure around the world since at least 2020.

Intelligence sources have stated that the unit was behind the WhisperGate malware which targeted Ukrainian organisations and destroyed data ahead of the Russian invasion of Ukraine.

A joint cyber advisory notice said that Unit 29155 cyber actors carried out attacks against 26 members of NATO.  

The attackers defaced websites, scanned for vulnerabilities in computer systems, stole data, and leaked confidential information.

Intelligence agencies believe the attacks are primarily targeting critical infrastructure and key resources, such as government services, finance, transportation, energy, and healthcare.

The advisory notice stated: “Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine.”

The U.S. Department of Justice charged five GRU officers in connection with the unit’s cyber operations.

The individuals named in the indictment include Yuriy Denisov, a colonel in the Russian military and a commanding officer of the unit, as well as four lieutenants who worked on cyber operations, Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, and Nikolay Korchagin, and a civilian co-conspirator, Amin Stigal.

(Source: FBI)

Paul Chichester, National Cyber Security Centre Director of Operations, said: “The exposure of Unit 29155 as a capable cyber actor illustrates the importance that Russian military intelligence places on using cyberspace to pursue its illegal war in Ukraine and other state priorities.”

In recent years, the military unit, which is also known as the 161st Specialist Training Centre, has been linked to a number of high-profile attacks.

The group is associated with notorious assassination attempts such as the Salisbury poisonings of Sergei Skripal, a Russian military intelligence officer who later became a double agent for the UK, and his daughter Yulia.

While that event, which used the Novichok nerve agent, drew public attention to Unit 29155, the group had been active for many years prior, targeting Bulgarian arms dealers who were attempting to supply weapons to Ukraine.

In 2015, Bulgarian arms dealer Emilian Gebrev and his son were poisoned with a neuroparalytic substance in Sofia.

The investigative journalism group Bellingcat found that the poisonings were linked to as many as eight GRU officers who were part of Unit 29155.

Gebrev had been selling weapons and ammunition to Ukraine in the early days of Russia’s invasion of eastern Ukraine in 2014. The production manager of Gebrev’s arms factory was also poisoned.

The Russian unit has also been accused of a series of destabilising activities across Europe following investigations by Bellingcat.

CCTV of Ruslan Boshirov and Alexander Petrov, accused of the Salisbury poisoning. (Source: Alamy)

One investigation revealed that Unit 29155 played a central role in the 2014 annexation of Crimea. The unit is believed to have infiltrated the region, provoking unrest and creating a pretext for Russian intervention.

In Moldova, the unit is suspected of supporting pro-Russian protests that led to the formation of the breakaway Transnistria region.

In 2016, a failed coup attempt was thwarted in Montenegro. Serbian nationalists, with alleged Russian backing, were accused of plotting to overthrow the government and prevent Montenegro from joining NATO. The plot included seizing the country’s parliament and assassinating the prime minister. Investigations by Bellingcat linked Unit 29155 to individuals involved.

Additionally, the unit was linked to attacks on the World Anti-Doping Agency in Switzerland between 2016 and 2017, which were allegedly aimed at discrediting anti-doping efforts and protecting Russian athletes.

Earlier this year, an investigation by media outlets CBS, Der Spiegel, and The Insider revealed Unit 29155 as the likely culprit behind mysterious attacks on U.S. officials and their families, known as Havana Syndrome.

The investigation found a link between the 29155 intelligence unit and an acoustic energy weapon, a type of device that uses sound, which can disorient and injure humans.

Christo Grozev, Bulgarian investigative reporter and former lead Russia investigator with Bellingcat, said in an interview: “These are people who are trained to be versatile assassins and sabotage operators. They’re trained in counter surveillance. They’re trained in explosives. They’re training in using poison and technology equipment to inflict pain or damage to the targets.” 

Britain’s National Cyber Security Centre said that Unit 29155 had “expanded its tradecraft to include offensive cyber operations”.

Val Dockrell is a London-based Senior Investigator and Open Source Intelligence (“OSINT”) specialist who has led in-depth investigations in multiple jurisdictions around the world. She also speaks several languages and is a member of the Fraud Women’s Network. Her X (formerly Twitter) handle is @ValDockrell.